New BIOS security standards aimed at fighting rootkit attacks

There's a growing threat of attacks on computer basic input/output system (BIOS) firmware, and to deter it, the National Institute of Standards and Technology (NIST) is putting in place new security guidelines for updating the BIOS. And in doing this, NIST is getting high-tech manufacturing to raise the bar on security.

"Last September, the first BIOS-based rootkit in the wild was discovered, called Mebromi," notes Andrew Regenscheid, math researcher and project leader in NIST's computer security division. While criminals creating malware have spent far more time over the years targeting Windowsapplications and operating systems (OS), the potential for wreaking serious havoc by subverting the BIOS, which typically works to do jobs such as load the OS, is of growing concern.

So through new security guidelines that will influence what computers the federal government buys in the future, NIST is setting standards that require authentication of BIOS update mechanisms.

Just this week NIST put out for public comment its proposed federal standard, "BIOS Protection Guidelines for Servers," with comment sought through mid-September. The intent is to stop any cyberattack related to "unauthorized modification of BIOS firmware by malicious software."

The NIST document basically says government buyers of servers in the future -- whether these are basic servers, managed servers or blade servers -- will be checking to see if gear they are thinking of getting has any way to "authenticate BIOS update mechanism," "secure local update mechanisms," and if there's "firmware integrity protection" and "non-bypassability features."

Encryption-based digital signatures and public-key certificates, among other techniques, are viewed as means of creating these security controls, but NIST isn't dictating specific processes, according to Regenscheid.

He says the concern is that manufacturers haven't uniformly applied strong security controls over BIOS in the past. This may be because BIOS updates tend to occur far less often than other kinds of computer software updates. But with the malware threat growing, it's time to focus on the BIOS, Regenscheid points out.

NIST already issued BIOS security standards for desktops and laptops in April 2011, and the Department of Homeland Security has told federal agencies to use them as a basis for purchasing laptops and desktops, starting this October. The U.S. Department of Defense has issued similar instructions, says Regenscheid. Manufacturers are aware of NIST's direction in all this and are responding. "Microsoft Windows 8 has BIOS protection for the desktop," he points out.

Security for server BIOS may be more complicated and call for support from OEM manufacturers such as Dell, HP and Lenovo. "We're proposing a tightly controlled update process," says Regenscheid. Proposed standards from NIST typically are approved and take effect within six months.

At that point, the "BIOS Protection Guidelines for Servers" will be a federal standard that is likely to also impact what the government acquires, just as the client BIOS security standard did. One question: Since the federal government is increasingly involved in buying cloud-based services, should cloud providers be asked to support secure BIOS? Regenscheid says that's something that surely will be brought up in discussions by people in government who write procurement requirements.

Another question is whether NIST will address this BIOS issue in regard to newer mobile devices, such as tablets from Apple or Google manufacturers, that the federal government is increasingly interested in using. Regenscheid acknowledges NIST is taking a hard look at this, as well as planning several new security standards related to mobile that will be unveiled in the course of the next year.

But NIST isn't tackling these issues by directly changing Android code, for example. Instead, NIST is quietly communicating the federal government's ideas directly to the high-tech manufacturers in the mobile world. "We're reaching out to Google and Apple and Microsoft and talking to them about features we'd like to see," says Regenscheid.

Copyright 2015 IDG Communications. ABN 14 001 592 650. All rights reserved.
Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.